The present invention relates generally to data packet sampling within a local area network and more specifically to improved sampling in a secure computer network.
Networks of computers are commonly used in today's business environment. One common network system structure uses one or more repeaters. The repeater typically includes several ports. A particular data packet received at one port is retransmitted from the other ports of the repeater. Each repeater restores timing and amplitude degradation of data packets received on one port and retransmits them to all other ports, and hence over the network. For networks employing a CSMA/CD-type of network, such as an Ethernet network, every data packet passes through every repeater. Network administrators are thereby able to conveniently use each repeater as a device on the network from which to gather information concerning the operation of the network.
In traditional Ethernet (802.3 10BASE5) and Cheapernet (802.3 10BASE2), a coaxial cable provides a linear bus to which all nodes of a local area network are connected. A standard promulgated by the IEEE (IEEE Standard 802.3) defines various functionality for computer networks. This standard is expressly incorporated by reference for all purposes. Signaling is accomplished using a current synch technique wherein a center conductor of the coaxial cable is used for a signal and a shield conductor of the coaxial cable is used for a reference voltage (typically ground). Twisted pair Ethernet (802.3 10BASE-T) uses a standard voice grade telephone cable rather than the coaxial cable. The telephone cable uses separate pairs of conductive wires for transmission and reception.
When using twisted pair Ethernet, the network configuration is a star topology. The star topology provides for several end stations or data terminal equipment (DTE) devices all coupled to a multiport repeater located at a center of the star. The repeater performs signal amplitude and timing restoration. The repeater receives a bitstream at one Of its ports and restores signal amplitude levels and timing requirements. The repeater repeats the reshaped and retimed input bitstream to all of its other ports. In one sense, the repeater acts as a logical coaxial cable, permitting every node connected to the twisted pair network to receive each transmission from any other node, just as when a coaxial cable is used. The pairs of conductors use differential signaling, one pair for transmission and another pair for reception.
While a repeater is used in a traditionally wired coaxial Ethernet network as a mechanism to extend the physical distance limit of the network, in the IEEE 802.3 10BASE-T, the standard mandates the use of a repeater to provide connectivity between nodes whenever more than two nodes are present. Although physical signaling on the cabling differs between the traditional Ethernet-type of repeater and the twisted pair-type of repeater, the functionality of the repeaters are identical, as is the frame or packet format that is used to pass messages between the participating nodes on the network.
The frame commences with a preamble sequence which is an alternating ("1" and "0") pattern. The preamble sequence provides a single frequency on the network, in this case five megahertz (MHz) at the start of each frame, allowing a receiver to acquire and lock onto the associated bitstream. The preamble sequence is followed by a start of packet identifier that immediately precedes the data portion of the transmission. Either a start of frame delimiter (802.3) or synch sequence (Ethernet) delineates the start of the data portion of the message. Following the start of packet identifier are two address fields: a destination address (DA) and a source address (SA). These addresses are both forty-eight bit values and are transmitted least significant bit (LSB) first.
A media access controller (MAC) associated with each DTE uses the destination address to determine whether an incoming packet is addressed to the node it is associated with. When a receiving node detects a match between its own node address and an address transmitted in the destination address field, it attempts to receive the packet. Nodes having a MAC that does not detect a matching address typically ignore a remainder of the packet.
There are three types of destination addressing supported by the 802.3 standards:
1. Individual. The DA field contains an individual and unique address assigned to a single node on the network. PA1 2. Multicast. When the first bit (LSB) of the DA is set, the remainder of the DA includes a group address. The group of nodes that are actually addressed is determined by a higher layer function. In general, use of a group address is designed to transmit a message to a logically similar subset of nodes on the network. PA1 3. Broadcast. The broadcast is a special form of multicast address wherein the DA field is set to all "1's." This address is reserved, and all nodes on the network must be capable of receiving a broadcast message.
The MAC that transmits a data packet writes its own address into the SA field. This allows the transmitting MAC to identify those packets which it originates. The 802.3 standards do not require that a receiving MAC take any action based upon the SA field. In some applications, such as management, security or configuration, the SA field may be tracked and monitored.
A two-byte length/type field follows the SA field. The choice of length or type is dependent upon whether the frame is compatible with the IEEE 802.3 or the Ethernet standard. A higher order byte of the length/type field is transmitted first, with the LSB of each byte transmitted first.
A data field contains actual packet data that is transferred between end stations and is between forty-six to fifteen hundred bytes in length. A logical link control (LLC) function is responsible for fragmenting data into block sizes suitable for transmission over the network. Data bytes are transmitted sequentially with the LSB of each byte transmitted first.
A frame check sequence (FCS) is a four-byte field that contains a cyclic redundancy check (CRC) for the entire frame. The transmitting station computes the CRC throughout the DA, the SA, the length/type field, and data field. The transmitting station appends the FCS as the last four bytes of the frame. A receiving station uses the same CRC algorithm to compute the CRC for a received frame. The receiving station compares the CRC value it computes with the CRC value in the transmitted FCS. A mismatch indicates an error, such as a corrupted data frame. CRC bits of the FCS are transmitted in order: most significant bit (MSB) to LSB.
FIG. 1 and FIG. 2 are diagrams illustrating frame formats for an IEEE 802.3 Standard compliant frame and an Ethernet frame, respectively. Comparing the frame formats illustrates that a primary difference between the frame types is that the start of frame delimiter (SFD) for 802.3 is defined as a byte that has a "10101011" pattern whereas the start frame (synch) of Ethernet is a "11" sequence. Even so, in both cases, a total number of bits for the preamble plus the start of frame indication is sixty-four bits long.
The 802.3 and Ethernet standards both specify that a frame must be in the range of sixty-four to fifteen hundred eighteen bytes (excluding preamble/SFD). However, the actual data field in the 802.3 system is permitted to be smaller than the forty-six byte value that is necessary to ensure this minimum size. To handle a smaller size data field, the MAC of a transmitting station appends pad characters to the LLC data field before sending data over the network. The Ethernet standard assumes that an upper layer ensures that the minimum data field is forty-six bytes before passing data to the MAC, therefore the existence of appended pad characters in unknown to the MAC implementing an Ethernet format.
The 802.3 standard also uses a length field that indicates the number of data bytes that are in the data field only. Ethernet, on the other hand, uses a type field in the same two bytes to identify the message protocol type. Since valid Ethernet type fields are always assigned outside of the valid maximum 802.3 packet length size, both 802.3 and Ethernet packets can coexist on the same network. Hence, it has been found that it is important to be able to track and monitor the addresses for a variety of reasons. For example, for secure networks it may be important that authentication is required to ensure that the appropriate nodes on the network receive the information. In addition, as networks change in the number of nodes attached thereto, it becomes important to be able to associate an address with a particular port or the like within the network.
It is also important in secure networks to selectively prevent a node from receiving such address information unless the node requires the information. If a data packet is not destined for a particular node, the particular node generally does not have a need for information within the data packet.
Further, it is important to provide a mechanism to associate the addresses of each port of a repeater with the actual port number or identity of the device. Typically, unsecured repeaters are devices that are just used for signal amplitude and timing restoration. In all of the above-mentioned modes, the secure repeater must also be provided with the capability to detect and interpret the various fields within data packets that: are transmitted on the network.
As described above, every data packet transmitted in the computer network includes a destination address to identify the recipient of the data packet. A secure repeater in a secure network may have one or more end stations attached to each port. Each end station has one unique address assigned, and possibly one or more multicast addresses. The secure repeater maintains a list of associated end stations for each output port. The security systems identified in the incorporated references use the destination address field from each data packet to route a data packet to only those output ports associated with the destination address. Output ports of the repeater associated with a destination address not matching the destination address receive a modified, or disrupted, data packet.
Managed repeaters include a management unit attached to an output port of the repeater. Since all data frames transmitted between end stations must pass through the repeater, the management unit may conveniently monitor and accumulate statistics about the operation and performance of the network.
A conventional managed repeater processes received data packets as follows. A data packet is received at an input port of the repeater. The repeater retransmits the data packet to a MAC of a management unit attached to an output port of the repeater. The MAC strips preamble information and the SFD from the retransmitted data packet and performs error checking on the remainder of the data packet. The MAC writes the data packet into a memory, such as a RAM. A microprocessor of the management unit reads the contents of the memory and processes it to extract statistics about the data packet. The MAC either writes an entire frame or no part of the frame. The decision to write is based upon whether an error was detected, or whether there was a match between the MAC address and the destination address field of the data packet.
In some instances, there may be thousands of data packets passing through the repeater every second. Based upon the procedure outlined above, a very large memory, a high performance microprocessor, and a high bandwidth bus are required for the management unit to adequately process all the traffic on the network.
While processing every packet to gather statistics about the network provides a good picture of how the network is performing, providing the management unit with resources to adequately process every packet is often too costly of a solution.
A network administrator is able to develop an acceptably accurate profile of the network performance by extracting statistics from a subset of all the data packets, provided that the subset is properly selected. Depending upon the packet selection criteria, the network statistics developed from the subset of packets reflects the network performance as a whole.